Canadian Cyber in Context is sponsored by

All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.

Canada’s latest National Cyber Security Strategy was published in the final days of Prime Minister Trudeau’s government. Although the National Cyber Security Strategy was not well received, one of its most welcome ideas was the Canadian Cyber Defence Collective (CCDC).

The CCDC is envisioned as a “national multi-stakeholder engagement body to advance Canada’s cyber resilience through direct public-private partnership on national-level cyber security challenges, policy priorities, and defence efforts.” In other words, the idea is to bring together individuals from industry, academia, government, education, critical infrastructure into one room to talk cyber defence. This is something that the private sector and academics have suggested for some time, so it was very well received.

With such support and focus on public engagement, surely there should be more public announcements or engagement related to this idea…. right?

Share

Unfortunately, no. Despite the widespread support for the CCDC, the government has been very quiet about what it is doing with these organizations. It was not until the Communications Security Establishment (CSE) Annual Report in June 2025 that we got some more information. And it was not much.

The report reveals that there will be two separate forums to the CCDC, an Operations Forum and a Strategic Forum. The National Cyber Security Strategy did not explicitly state that there would be two different forums for the CCDC. However, on a second reading of the strategy, it refers to a CCDC co-chair (Operations) and a CCDC co-chair (Policy), suggesting that some thought had already been given to this dual structure when the CCDC was first announced. Nevertheless, here we are with two separate forums being developed in ways that do not align with what was communicated in the National Cyber Security Strategy.

What is confusing, however, is that CSE’s annual report talks about the CCDC in both present and future tense. As a result, simply reading this report is not enough to understand what is going on with the CCDC forums because of their lack of consistency. As an example, the section of the report ends with “Like with the CCDC-O, work to stand up the CCDC-SF is currently underway.” However, the previous paragraph states that “an initial meeting for one CCDC subgroup was held in January 2025.” Based on the paragraph about CCDC-O, we can infer that they are referring to CCDC-O. This suggests that the CCDC-O is not currently being stood up but is, in fact, already created if it is holding meetings. What makes this particularly interesting is that Canada’s latest National Cyber Security Strategy was released on February 6, 2025. A kind interpretation of this would be that a meeting of government stakeholders is meeting to work out the specifics of industry and civil society engagement, but this is reading between the lines and is not what the document says.

Taking the Public out of Public-Private Partnerships

Regardless of the current status of the CCDC forums, the Government of Canada’s current messaging about them is confusing and potentially misleading. This is not a good sign for a program that is meant to be the face of the government’s new public-private partnership approach to cyber security and cyber defence.

The entire point of a public-private partnership, or a whole-of-society partnership as the National Security Strategy describes it, is to include the public in the process. While it is perhaps debatable about the degree to which this is required in its creation, the lack of engagement or outreach is leaving many to guess about what to expect in the first place.

Public Safety Canada and CSE must be careful about making these forums a one-way street. The true power and validity that comes with such an organization is to build value for organizations and individuals to be involved with the CCDC in the first place. If the CCDC is developed to placate industry and the private sector without contributing to any meaningful development of policy or public-private cooperation will mean that it will be dead before it gets started.

What does the Federal Budget Say?

The federal budget says little, except that the government is putting very little money into supporting the National Cyber Security Strategy. The federal government is providing $34 million over the next five years, with $28 million of that in the first two years. Compare this with the 2018 National Cyber Security Strategy, which received approximately $500 million over five years to support the strategy. It is quickly apparent that the federal government is not making a significant investment in the 2025 National Cyber Security Strategy, which raises questions about what will happen to the CCDC. Without a doubt, the CCDC will be created, but how strong will the government be in supporting the mechanisms promised in the strategy? So far, all we have to indicate is the small section in the CSE’s annual report and the approximately 99.9985% reduction in budget for the new National Cyber Security Strategy.

In other words, Prime Minister Carney’s government is providing significantly less support for the Canadian National Cyber Security Strategy compared to Prime Minister Trudeau’s government. Further, it is currently unclear how this limited amount of money will be prioritized. Although the CCDC is a major cornerstone to the federal government’s National Cyber Security Strategy, the lack of prioritization of support for the strategy is not a positive sign.

Although the government appears to not be providing significant support for then National Cyber Security Strategy, it is looking to support the cyber security industry through other avenues. In paticular, cyber and cyber security is mentioned multiple times throughout the budget related to defence investments and the Defence Industrial Strategy. Despit these claims, the only overt funding or investment is a $10.9 billion investment into DND/CAF and CSE for digital infrastructure and $656.9 million to ISED to “develop and commercialize dual civil-military technologies” including in cybersecurity.

This funding is well received, but specific investments into cyber security businesses are unlikely to lead to much change in the federal governance and policymaking concerning cyber security and largely treats cyber security as just another industry and not a domain where Canadians and the government are actively being attacked and harmed.

The budget shows Prime Minister Carney does not appear to look at cyberspace and the internet as a threat domain, but just another area for investment and economic growth.

So What?

With any government change there is likely to be a change in how certain issues are treated and cyber security is one of them. Through the first half of Justin Trudeau’s tenure as Prime Minister, there was a significant focus on e-government and cyber security. However, once the pandemic hit, this declined significantly. The stark differences between the 2018 National Cyber Security Strategy and the 2025 National Cyber Security Strategy show that the federal government is no longer treating cyber security as a top issue.

Cyber security is an industry just as much as it is a security practice that requires a whole-of-society engagement to improve the cyber security of all Canadians. Investment into cyber security is not enough to improve cyber security for Canadians. The CCDC was promised as the flagship to Canada’s new public-private partnership or whole-of-society approach to cyber security, but current signs are not positive that the current government shares the same views on this approach.

The public-private partnership and CCDC engagement have been praised for its productive contributions and benefits in other countries, particularly the United States where such activities have been dismantled under President Trump. Cyber security and cyberspace is a multi-stakeholder environment that requires cooperation and collaboration for efficiency and to ensure all Canadians are protected and helped.

The average cost of a cyber security breach in Canada rose to $6.98 million in 2025, which is one of the few countries where costs rose instead of fell. Under the federal budget, the federal government is promising more business investments into dual-use capabilities which might go to cyber security that maybe could help the average Canadian with cyber security. This is unlikely to do much to address the cyber security for Canadians.

Share